Configuring Single Sign-on

 

This topic includes the following sections:

• Single Sign-on with Username/Password Authentication

• Single Sign-on with Username/Password Authentication and the SSL Protocol

• Single Sign-on with the SSL Protocol and Certificate-Based Authentication

 

---

Single Sign-on with Username/Password Authentication

The steps for implementing single sign-on with username/password authentication are as follows:

1. In the CORBA.connectionpool section of the weblogic.properties file define the following properties:

   • appaddrlist=//host:port

     where the host and port specify the name and port number of the IIOP Listener/Handler in the WebLogic Enterprise domain you want to access. For more information about the different address formats supported in the WebLogic Enterprise product, see Understanding the Address Formats of the Bootstrap Object.

   • username as the name of the WebLogic Server principal.

   • userpassword as the password for the WebLogic Server principal

   • apppassword as the password of the WebLogic Enterprise application you want to access.

   • securitycontext as Yes. Yes indicates that you want the security context of the WebLogic Server principal passed to the WebLogic Enterprise domain.

     Note: There are other properties in the CORBA.connectionpool section of the weblogic.properties file that are used to set up the connection pool. For more information about setting up CORBA connection pools, see Using WebLogic Enterprise Connectivity in the WebLogic Server portion of the WebLogic Enterprise online documentation.

2. Use the tpusradd command to define the WebLogic Server principal as an authorized user in the WebLogic Enterprise domain. The username and password for the WebLogic Server principal must appear in the tpusr file exactly as they are defined in the weblogic.properties file.

3. Set -E option of the ISL command to configure the IIOP Listener/Handler to detect and utilize the propagated security context from the WebLogic Server realm. The -E option of the ISL command requires you to specify a principal name. The principal name is the username as defined in the weblogic.properties file. The ISL command for the IIOP Listener/Handler is defined for the CLOPT parameter in the UBBCONFIG file for the WebLogic Enterprise domain.

4. Set the SECURITY parameter in the UBBCONFIG file to USER_AUTH or higher.

 

---

Single Sign-on with Username/Password Authentication and the SSL Protocol

The steps for implementing single sign-on with username/password authentication and the SSL protocol are as follows:

1. Configure the SSL protocol in the WebLogic Server and the WebLogic Enterprise environments.

   For information about configuring the SSL protocol in the WebLogic Server environment, see Using WebLogic SSL in the WebLogic Server portion of the WebLogic Enterprise online documentation.

   For information about configuring the SSL protocol in the WebLogic Enterprise environment, see The SSL Protocol.

2. In the CORBA.connectionpool section of the weblogic.properties file define the following properties:

   • appaddrlist=corbalocs://host:port

     where the host and port specify the name and port number of the IIOP Listener/Handler in the WebLogic Enterprise domain you want to access. For more information about the different address formats supported in the WebLogic Enterprise product, see Understanding the Address Formats of the Bootstrap Object.

   • username as the name of the WebLogic Server principal.

   • userpassword as the password for the WebLogic Server principal

   • apppassword as the password of the WebLogic Enterprise application you want to access.

   • securitycontext as Yes. Yes indicates that you want the security context of the WebLogic Server principal passed to the WebLogic Enterprise domain.

   • minencryptionlevel and maxecryptionlevel. These are optional properties. The valid values are 0, 40, 56, and 128. The default is 40 for the minencryptionlevel property. The maxecryptionlevel property defaults to the maximum strength allowed by the license. These two properties are used at the time of the SSL handshake to determine the encryption strength that will be used between the WebLogic Server and WebLogic Enterprise environments.

     Note: There are other properties in the CORBA.connectionpool section of the weblogic.properties file that are used to set up CORBA connection pools. For more information about setting up connection pools, see Using WebLogic Enterprise Connectivity in the WebLogic Server portion of the WebLogic Enterprise online documentation.

3. Use the tpusradd command to define the WebLogic Server principal as an authorized user in the WebLogic Enterprise domain. The username and password for the WebLogic Server principal must appear in the tpusr file exactly as they are defined in the weblogic.properties file.

4. Set -E option of the ISL command to configure the IIOP Listener/Handler to detect and utilize the propagated security context from the WebLogic Server realm. The -E option of the ISL command requires you to specify a principal name. The principal name is the username as defined in the weblogic.properties file. The ISL command for the IIOP Listener/Handler is defined for the CLOPT parameter in the UBBCONFIG file for the WebLogic Enterprise domain.

5. Set the SECURITY parameter in the UBBCONFIG file to USER_AUTH or higher.

 

---

Single Sign-on with the SSL Protocol and Certificate-Based Authentication

The steps for implementing single sign-on with the SSL protocol and certificate-based authentication are as follows:

1. Configure the SSL protocol in the WebLogic Server and the WebLogic Enterprise environments.

   For information about configuring the SSL protocol in the WebLogic Server environment, see Using WebLogic SSL in the WebLogic Server portion of the WebLogic Enterprise online documentation.

   For information about configuring the SSL protocol in the WebLogic Enterprise environment, see The SSL Protocol.

2. In the CORBA.connectionpool section of the weblogic.properties file define the following properties:

   • appaddrlist=corbalocs://host:port

     where the host and port specify the name and port number of the IIOP Listener/Handler in the WebLogic Enterprise domain you want to access.

   • username as email address of the subject of the digital certificate.

   • userpassword as private key of the digital certificate.

   • apppassword as the password of the WebLogic Enterprise application you want to access.

   • securitycontext as Yes. Yes indicates that you want the security context of the WebLogic Server principal passed to the WebLogic Enterprise domain.

   • minencryptionlevel and maxecrptionlevel. These are optional properties. The valid values are 0, 40, 56, and 128. The default is 40 for the minencryptionlevel property. The maxecryptionlevel property defaults to the maximum strength allowed by the license. These two properties are used at the time of the SSL handshake to determine the encryption strength that will be used between the WebLogic Server and WebLogic Enterprise environments.

   • certificatebasedauth as Yes. Yes indicates that certificate-based authentication is to be used.

     Note: There are other properties in the CORBA.connectionpool section of the weblogic.properties file that are used to set up the CORBA connection pool. For more information about setting up connection pools, see Using WebLogic Enterprise Connectivity in the WebLogic Server portion of the WebLogic Enterprise online documentation.

3. Use the tpusradd command to define the WebLogic Server principal as an authorized user in the WebLogic Enterprise domain. The username and password for the WebLogic Server principal must appear in the tpusr file exactly as they are defined in the weblogic.properties file.

4. Set -E option of the ISL command to configure the IIOP Listener/Handler to detect and utilize the propagated security context from the WebLogic Server realm. The -E option of the ISL command requires you to specify a principal name. The principal name is the username as defined in the weblogic.properties file. The ISL command for the IIOP Listener/Handler is defined for the CLOPT parameter in the UBBCONFIG file for the WebLogic Enterprise domain.

5. Set the -a option of the ISL command to configure the IIOP Listener/Handler to enable certificate-based authentication.The ISL command for the IIOP Listener/Handler is defined for the CLOPT parameter in the UBBCONFIG file for the WebLogic Enterprise domain.

6. Set the SECURITY parameter in the UBBCONFIG file to USER_AUTH or higher.

Using certificate-based authentication between the WebLogic Server environment and the WebLogic Enterprise environment implies performing a new SSL handshake to establish a connection from the WebLogic Server environment on a CORBA object, RMI object, or EJB in a WebLogic Enterprise environment is initiated. In order to support multiple client requests over the same SSL network connection, certificate-based authentication must be set up as follows:

• Obtain a digital certificate for the WebLogic Enterprise Connectivity process. This digital certificate is presented to the WebLogic Enterprise environment for the purpose of authenticating the identity of the WebLogic Enterprise Connectivity process. Once established, the authenticated connection between the WebLogic Enterprise Connectivity product and the WebLogic Enterprise environment remains.

• When a client request is made from the WebLogic Server environment on a CORBA object, RMI object, or EJB in the WebLogic Enterprise environment, digital certificates are exhanged between the WebLogic Server and WebLogic Enterprise environments and session keys are generated for both sides of the connection. Because WebLogic Connectivity is part of WebLogic Server, the WebLogic Connectivity process will accept any message from WebLogic Enterprise that has the sessions keys that were created when the SSL connection was established between the WebLogic Server and WebLogic Enterprise environments. The WebLogic Enterprise Connectivity process then forwards the client request using the established SSL connection to the WebLogic Enterprise environment.